Network Security Focus-IDS

Re: RE: IDS vs. IPS deployment feedback

Subject: Re: RE: IDS vs. IPS deployment feedback
Date: Wed, 29 Mar 2006 18:50:57 +0530
On 28/03/06 08:46 -0800, Andrew Plato wrote:
> > I for one worry more about downtime than getting hacked.
> > If I am well organised, patched and secured in depth,
> > the possibility of getting hacked is very low. A 'leet
> > hacker would probably operate under an IPS/IDS
> > detection range anyway.

> Hacking is only one aspect. IPS does a lot more than stop hackers. It
> also stops internal people from doing things they shouldn't. It also can
> spot poorly coded applications, misconfigurations, abuse, theft,
> information leakage, viruses, worms, spyware, P2P, chat, rootkits...and
> many other things. A well tuned IPS controls more than just exploits. It
> can keep unwanted protocols (IRC, NNTP, etc.) out of your network. And
> before you say "well a firewall can do that." No it can't. If you run
> IRC on port 80 it can slice through most firewalls on the market.

If by firewall, you mean packet filter, then you are correct.
If by firewall, you mean a proxy which validates protocols and is in
default deny mode, then you are just wrong.

"If I don't have a proxy for it, I don't let the traffic through" works
just fine.

> An IPS looks at stuff on the wire, decides what is bad, and blocks it.
> A real firewall looks at stuff on the wire, decides what is good, and
> allows it. A real firewall hooks into everything (servers, network
> equipment, desktops...).
>
> I have a diagram I use in a presentation on the Myths of IPS. You can
> see it here: http://www.anitian.com/corp/papers/Library/IPS_myths.pdf
> It's the Risk Reduction Bang for the Buck chart. It compares IPS to
> other common security/network technologies such as AV, content
> filtering, firewalls and packet shapers. A well tuned, well managed IPS
> can provide more services and capabilities in one unit than all those
> other technologies combined. As I tell people - firewalls and AV are
> important and should never be overlooked. But once those protections are
> in place, IPS offers the most bang for the buck in security
> technologies.

Once you have a firewall in place, you need a system which analyses logs
and traffic which gets through your firewall.


> Also - you cannot patch your way to security. Patching merely plugs the
> holes you know about. There are, at any given time, hundreds if not
> thousands of holes you don't know about. Good IPS manufacturers are
> deploying protections before exploits hit the public.

Which is why you need to run secure code in the first place. Band-aids
are not a panacea for vulnerable code.

Really, it would help to compare IPSes with proxies instead of known
broken systems.

Devdas Bhagat
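The distinction Devdas draws above, between a packet filter that decides on port number and a protocol-validating proxy in default-deny mode, as an added illustration (this is not code from the thread or from any product either poster names). The proxy, port numbers, allowed-method list and the sample "connections" are all constructed for the example; the HTTP request-line and header grammar follow RFC 7230.

```python
"""Port-based packet filter vs. protocol-validating default-deny proxy.

Added example, not from the original thread. The 'connections' below are
constructed byte strings standing in for the first bytes a client sends.
"""
import re
from dataclasses import dataclass

# Request-line and header grammar from RFC 7230 sections 3.1.1 and 3.2,
# restricted to the methods this hypothetical proxy chooses to allow.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
REQUEST_LINE = re.compile(
    rb"^(?P<method>[A-Z]+) (?P<target>[^ \r\n]+) HTTP/1\.[01]\r\n"
)
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*\r\n")


@dataclass(frozen=True)
class Connection:
    dst_port: int
    payload: bytes  # first bytes sent by the client


def packet_filter(conn: Connection) -> bool:
    """Stateless packet filter: knows nothing but the destination port."""
    return conn.dst_port in {80, 443}


def http_proxy_accepts(payload: bytes) -> bool:
    """Default-deny HTTP proxy: forward only a request whose request line
    parses, whose method is on the allow list, and whose header section is
    well formed and properly terminated by an empty line."""
    m = REQUEST_LINE.match(payload)
    if not m or m.group("method") not in ALLOWED_METHODS:
        return False
    rest = payload[m.end():]
    while not rest.startswith(b"\r\n"):  # header section ends at CRLF CRLF
        h = HEADER_LINE.match(rest)
        if not h:
            return False  # not a header line: malformed or not HTTP at all
        rest = rest[h.end():]
    return True


# Hypothetical proxy table: one validator per port we serve. Port 443 is
# deliberately absent here to show the default-deny behaviour.
PROXIES = {80: http_proxy_accepts}


def proxy_firewall(conn: Connection) -> bool:
    """'If I don't have a proxy for it, I don't let the traffic through.'"""
    validator = PROXIES.get(conn.dst_port)
    if validator is None:
        return False
    return validator(conn.payload)


# Constructed samples: legitimate HTTP, IRC tunnelled over port 80, plain
# IRC, an HTTP CONNECT tunnel attempt, and a malformed header.
SAMPLES = {
    "http": Connection(80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "irc_on_80": Connection(80, b"NICK l33t\r\nUSER l33t 0 * :l33t\r\n"),
    "irc_on_6667": Connection(6667, b"NICK l33t\r\n"),
    "connect_tunnel": Connection(80, b"CONNECT irc.example.net:6667 HTTP/1.1\r\n\r\n"),
    "bad_header": Connection(80, b"GET / HTTP/1.1\r\nHost example.com\r\n\r\n"),
}


def compare(samples=SAMPLES):
    """Return {name: (packet_filter_verdict, proxy_verdict)} for each sample."""
    return {name: (packet_filter(c), proxy_firewall(c)) for name, c in samples.items()}


if __name__ == "__main__":
    for name, (pf, px) in compare().items():
        print(f"{name:15s} packet filter: {'allow' if pf else 'deny'}   "
              f"proxy: {'allow' if px else 'deny'}")
```

The IRC-on-port-80 case is the one Andrew raises: the port-only filter passes it, the proxy rejects it because "NICK l33t" is not an HTTP request line. The CONNECT sample is the practitioner's caveat: a real HTTP proxy that honours CONNECT would open exactly the kind of tunnel the filter is meant to stop, so whether CONNECT is on the allow list (and to which destinations) is a policy decision, not a parsing one.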

